mirror of
https://github.com/actualbudget/actual.git
synced 2026-03-09 03:32:54 -05:00
* [AI] Enforce file access authorization on sync API endpoints

  Co-authored-by: Cursor <cursoragent@cursor.com>

* Refactor file deletion authorization to return error message as text

* Refactor file upload validation to improve error handling

* Add tests to allow admin users to retrieve encryption keys and sync files for other users

  - Implemented a test for admin access to retrieve encryption keys for another user's file in the /user-get-key endpoint.
  - Added a test for admin users to sync another user's file in the /sync endpoint, ensuring proper response and headers.

  These changes enhance the authorization checks for admin actions on user files.

* Refactor file cleanup in tests to use onTestFinished for better error handling

* Enhance admin capabilities in file management tests

* Add migration to backfill file owners with admin ID

* Enhance file access authorization in sync API

* Update migration to backfill file owners with admin ID to ensure consistent ordering in the query

* Refactor access control tests for file downloads in sync API

* Add test for non-owner file download access via user_access in sync API

  This test verifies that users with appropriate access can download files owned by others, utilizing the requireFileAccess logic and UserService.countUserAccess. It ensures correct response headers and content delivery for shared files.

* Refactor file cleanup in upload and download tests to utilize onTestFinished for improved error handling

  This update consolidates file cleanup logic in the test suite, ensuring that temporary files are removed after each test execution. The changes enhance the reliability of tests by consistently managing file state across various scenarios.

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
See the Writing Good Release Notes section of the README for the documentation repo for more information on how to create a release notes file here.